From 53a6f5ddf0c6bf2a8c8c3b757fb54a0c7755daf7 Mon Sep 17 00:00:00 2001
From: Ben Banfield-Zanin <benbz@matrix.org>
Date: Thu, 19 Nov 2020 14:57:13 +0000
Subject: SAML: Allow specifying the IdP entityid to use. (#8630)

If the SAML metadata includes multiple IdPs it is necessary to
specify which IdP to redirect users to for authentication.
---
 synapse/config/saml2_config.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'synapse/config')

diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index f233854941..c1b8e98ae0 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -90,6 +90,8 @@ class SAML2Config(Config):
             "grandfathered_mxid_source_attribute", "uid"
         )
 
+        self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)
+
         # user_mapping_provider may be None if the key is present but has no value
         ump_dict = saml2_config.get("user_mapping_provider") or {}
 
@@ -383,6 +385,14 @@ class SAML2Config(Config):
           #    value: "staff"
           #  - attribute: department
           #    value: "sales"
+
+          # If the metadata XML contains multiple IdP entities then the `idp_entityid`
+          # option must be set to the entity to redirect users to.
+          #
+          # Most deployments only have a single IdP entity and so should omit this
+          # option.
+          #
+          #idp_entityid: 'https://our_idp/entityid'
         """ % {
             "config_dir_path": config_dir_path
         }
-- 
cgit 1.5.1